Data breaches can be quite a complicated issue for organizations. No matter how good, or bad, your cybersecurity is, sophisticated threat actors always seem to find a way to make life difficult for a CISO. It's then up to company leadership to make the right decisions. Disclose the breach, notify those affected, and talk with your security team about how to prevent a similar incident from happening in the future.
T-Mobile and Uber recently settled cases in which the companies faced massive data breaches but went about handling the situations quite differently.
T-Mobile data breach
Last year, T-Mobile investigated a post made on an underground forum that claimed 100 million user accounts had been compromised in a data breach.
It turned out to be approximately 80 million customers, and the data included Social Security numbers, phone numbers, names, physical addresses, unique IMEI (mobile device identifier) numbers, and driver license information. The company disclosed the data breach quickly after discovering it.
And last week, T-Mobile reached a settlement with the U.S. Securities and Exchange Commission (SEC), agreeing to pay $350 million to affected customers in a class action lawsuit. That sum will cover claims by class members, the legal fees of plaintiffs' counsel, and the costs of administering the settlement. The company also agreed to spend $150 million over the next two years to improve its data security.
The settlement "contains no admission of liability, wrongdoing, or responsibility by any of the defendants."
As far as data breaches go, T-Mobile did a fairly good job with incident response. But let's compare that with Uber.
Uber data breach
In 2016, Uber experienced a data breach that exposed the information of 57 million users and drivers. Instead of disclosing the breach to the Federal Trade Commission (FTC), as required by law, leadership attempted to cover it up to avoid public backlash.
The CEO at the time tried to pay the threat actors $100,000 to delete the data and keep the incident under wraps. The CSO was also involved in the situation and has been charged with obstruction of justice.
Once the CEO was fired, the new CEO stepped in and immediately began trying to fix the situation. This has now led to Uber entering a non-prosecution agreement with federal prosecutors to resolve the criminal investigation.
A July 22 statement from the U.S. Department of Justice says that "Uber admitted to and accepted responsibility for the acts of its officers, directors, employees, and agents in concealing its 2016 data breach from the Federal Trade Commission, which at the time of the 2016 breach had a pending investigation into the company's data security practices."
The company had previously been ordered to pay $148 million to settle civil litigation, and to implement "a corporate integrity program, specific data security safeguards, and incident response and data breach notification plans, along with biennial assessments."
The T-Mobile and Uber cases highlight two very different ways to handle a data breach.
Has your organization experienced some kind of data breach? How did you respond? Discuss in the comments below.